Taking Measures to Protect Your Public ApplicationsTuesday, March 24, 2015
With the Anthem disclosure, information security is again a hot topic in the news. In addition to the push to meet Meaningful Use requirements, organizations are feeling more pressure than ever to be connected and engaged with their patients. Much of this pressure comes from the patients’ own growing expectations that their healthcare data should be accessible to them at all times and from any location.
In this environment, keeping electronic patient health information (ePHI) safe can seem like an insurmountable task, and it may give the most experienced information technology professional some sleepless nights. But don’t despair just yet. I’ve outlined some simple steps that an organization can take to protect its applications from malicious attackers.
- Keep updated. Ensure that your applications and systems are patched and up to date. Attempting to manually track of all your patching requirements can be a time consuming endeavor. To help you ensure that your systems are updated in a timely manner, use tools like Microsoft’s Baseline Security Analyzer (MBSA) and Software Update Service (SUS) to ensure that your systems are secure and as up to date as required.
- Utilize third-party software. Use third party software to scan your applications for known vulnerabilities and configuration issues. Setting up scans on a regular interval is a good way to ensure that no changes to your production environment have had unintended consequences. There are several tools that can be used by non-profits that will allow for this kind of scanning and testing. Contact Purdue Healthcare Advisors for advice on how to do this.
- Keep employee access to a minimum. Ensure minimum necessary access to your system for all of your employees. Usernames and passwords are found to be a weakness of even the most secure organizations. As with the recent security breaches, organizations are being hit with advanced threats and targeted phishing campaigns in attempts to steal employee credentials. Therefore, limiting access your employees is a great way to protect your organization in case employee credentials are compromised.
- Lay out the network properly. Proper network outlay also is necessary to keep your information safe. Internet-facing services should be placed in your network’s DMZ (demilitarized zone). However, if you are hosting your own electronic health record system, that system should not be placed directly on the internet. Access to these systems should have further restrictions and potentially include additional firewalls and/or proxies.
These basic steps are a great way to help protect your organization’s ePHI. In addition to being best practices, all of these items are required by the HIPAA Security rule, so staying on top of them will properly prepare your organization for its next security risk assessment.
Gregory Barnes, MS, CISSP, CRISC, CHP, serves as a managing advisor for security services with Purdue Healthcare Advisors, where he works to implement healthcare industry-related security solutions with an emphasis on risk analysis for providers.
Tags: Health IT Security